[CentOS] OpenSSL Update - not a security update???

Alice Wonder alice at domblogger.net
Mon Mar 7 18:19:22 UTC 2016


On 03/07/2016 10:14 AM, James Washington wrote:
> Hey all,
>
> Sorry to jump in here, but out of curiosity, has the patch actually been backported to earlier versions of OpenSSL regarding the recent DROWN attack? I've checked the RPM changelog and nothing's been mentioned relating to CVE-2016-0800 (I think that was the CVE number). Or is this thread not related to that vulnerability?
>
> Kind regards
>
> James Washington

DROWN depends upon SSLv2.

I'm not sure if this removed SSLv2 or not, but I am not personally aware
of any public services that enabled SSLv2 by default in CentOS 7 anyway,
so unless you have a service supporting SSLv2 you are not vulnerable to
DROWN.

Reality is, you should not have either SSLv2 or SSLv3 enabled on any
service, and disabling them was best practice long before DROWN.
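As an added example (not code from this thread, from CentOS or from OpenSSL): a small Python probe that sends an SSLv2 ClientHello and parses the SSLv2 ServerHello, which is the direct test of the condition Alice names, whether a service will actually negotiate SSLv2. The record and message layouts are those of the SSL 2.0 draft; the host name in the usage comment is a placeholder and the sample ServerHello is constructed by hand so the parser can be exercised offline. One caveat worth carrying alongside the post: DROWN is an attack on the RSA key, so a TLS-only service is still exposed if the same key (or certificate) is also served by any SSLv2-capable endpoint, which is why the probe should be run against every host and port where the key is deployed, not just the one being patched.

```python
"""SSLv2 probe: does this endpoint answer an SSLv2 ClientHello?

Added example, not code from the CentOS thread or from OpenSSL. It builds
the SSLv2 CLIENT-HELLO, parses the SERVER-HELLO, and reports the cipher
kinds the server offers. The sample reply is constructed for offline use.
"""
import os
import socket
import struct

# SSL 2.0 CIPHER-KIND values (3 bytes each) from the SSLv2 draft.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
# 40-bit "export" kinds: the cheap case for the DROWN RSA padding oracle.
EXPORT_CIPHERS = {b"\x02\x00\x80", b"\x04\x00\x80"}

MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04


def sslv2_record(payload: bytes) -> bytes:
    """Wrap a handshake message in the 2-byte SSLv2 record header (no padding)."""
    if len(payload) >= 0x8000:
        raise ValueError("SSLv2 record too long")
    return struct.pack("!H", 0x8000 | len(payload)) + payload


def build_client_hello(challenge: bytes = b"") -> bytes:
    """CLIENT-HELLO offering every SSLv2 cipher kind and an empty session id."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(SSLV2_CIPHERS)
    body = (bytes([MSG_CLIENT_HELLO])
            + b"\x00\x02"                                   # CLIENT-VERSION 2.0
            + struct.pack("!HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return sslv2_record(body)


def parse_server_hello(data: bytes) -> dict:
    """Return what an SSLv2 SERVER-HELLO offers, or {} if `data` is not one.

    A TLS alert, a TLS ServerHello or an empty reply all give {}, which is the
    answer you want: the endpoint does not speak SSLv2.
    """
    if len(data) < 2 or not data[0] & 0x80:          # SSLv2 2-byte header only
        return {}
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return {}
    _hit, cert_type, version, cert_len, spec_len, conn_len = struct.unpack(
        "!BBHHHH", body[1:11])
    if len(body) < 11 + cert_len + spec_len + conn_len:
        return {}                                     # truncated record
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    kinds = [specs[i:i + 3] for i in range(0, len(specs) // 3 * 3, 3)]
    return {
        "version": version,
        "cert_type": cert_type,
        "cert_len": cert_len,
        "ciphers": [SSLV2_CIPHERS.get(k, k.hex()) for k in kinds],
        "export": any(k in EXPORT_CIPHERS for k in kinds),
    }


def verdict(parsed: dict) -> str:
    """One-line assessment in the terms of the thread."""
    if not parsed:
        return "no SSLv2 ServerHello: this endpoint is not a DROWN oracle"
    msg = ("SSLv2 accepted (%d cipher kinds): DROWN-exposed, disable SSLv2"
           % len(parsed["ciphers"]))
    if parsed["export"]:
        msg += "; export ciphers offered, which make the attack far cheaper"
    return msg


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check: send a ClientHello and parse whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        data = b""
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
                if len(data) < 2:
                    continue
                if not data[0] & 0x80:                # not SSLv2, stop reading
                    break
                if len(data) >= 2 + (((data[0] & 0x7F) << 8) | data[1]):
                    break
        except socket.timeout:
            pass
    return parse_server_hello(data)


def make_server_hello(kinds, cert=b"\x30\x03\x02\x01\x01",
                      conn_id=b"\x00" * 16) -> bytes:
    """Constructed SERVER-HELLO for offline testing (not a real server's)."""
    specs = b"".join(kinds)
    body = (bytes([MSG_SERVER_HELLO])
            + b"\x00"                 # SESSION-ID-HIT = 0
            + b"\x01"                 # CERTIFICATE-TYPE = X.509
            + b"\x00\x02"             # SERVER-VERSION 2.0
            + struct.pack("!HHH", len(cert), len(specs), len(conn_id))
            + cert + specs + conn_id)
    return sslv2_record(body)


if __name__ == "__main__":
    # Offline run against the constructed reply; for a real host you own,
    # call probe("mail.example.internal", 443) instead (placeholder name).
    sample = make_server_hello([b"\x01\x00\x80", b"\x02\x00\x80", b"\x07\x00\xc0"])
    print(verdict(parse_server_hello(sample)))
    print(verdict(parse_server_hello(b"\x15\x03\x01\x00\x02\x02\x28")))  # TLS alert
```

The probe is deliberately not built on `ssl`/OpenSSL: CentOS 7's OpenSSL is built without SSLv2, so `openssl s_client -ssl2` is not available there to test with, whereas the raw ClientHello works from any host. Run it against each port (443, 465, 993, 995, 25 after STARTTLS, and so on) that serves the key; a `{}` result on every one of them is the "no service supporting SSLv2" condition from the post.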


